Uncovering How Hackers Use PHP Vulnerabilities to Launch Quasar RAT and XMRig Miners
Cybereason recently found evidence that a PHP flaw is being exploited to deploy Quasar RAT and XMRig miners.
This article reports what we know thus far and provides critical practical advice for cybersecurity professionals.
The Breach: How it Happens
The PHP flaw (CVE-2024-4577) attackers exploit is an argument injection vulnerability.
It stems from incorrect handling of Windows command-line arguments when PHP runs in CGI mode.
With successful exploitation, malicious actors can achieve arbitrary code execution on affected systems.
Quasar RAT and XMRig Miners Involved
In Cybereason's discovery, hackers used this PHP flaw to deploy Quasar RAT, a fully capable, open-source RAT developed for Windows that uses TCP for communication between the client and the server.
With Quasar, hackers can remotely administer and monitor infected systems, log keystrokes, and exfiltrate sensitive data.
Moreover, the researchers found XMRig miner deployments; XMRig is open-source, cross-platform software used for mining the Monero cryptocurrency.
By infecting systems with XMRig, attackers subtly siphon processing power, deploying a “cryptojacking” operation to mine cryptocurrency without the victim’s knowledge.
The Implications
This exploit threatens any Windows-based system running PHP in CGI mode.
With the sheer volume of PHP-based applications and websites, the potential damage could be extensive.
The illicit use of system resources for cryptocurrency mining can degrade system performance and increase electricity costs, while a Quasar RAT infection could lead to devastating data breaches.
Practical Advice for Cybersecurity Professionals
Firstly, security teams should ensure timely software patching to guard against known vulnerabilities.
PHP’s official website provides updates and patches, and in this specific incident, the vulnerability has been addressed in PHP 7.2.34, 7.3.23, and 7.4.11.
Furthermore, cybersecurity teams should monitor for abnormal system performance, unusual outbound network traffic, and unfamiliar processes.
Signs like these could indicate an ongoing XMRig Miner or Quasar RAT infection.
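As an added illustration of the "unfamiliar processes" and "unusual outbound traffic" signals above (example code written for this article, not from Cybereason or the PHP project), the script below walks a constructed set of Sysmon-style process-creation and network-connection events and flags anything that runs beneath php-cgi.exe: a shell spawned directly by it, a descendant launched from a user-writable path, or a descendant making an outbound connection. The event shape, PIDs, paths and addresses are all made up for the example.

```python
# Constructed sample telemetry in a Sysmon-like shape (event 1 = process create,
# event 3 = outbound connection). Made-up PIDs, paths and addresses, not real IoCs.
SAMPLE_EVENTS = [
    {"event": 1, "pid": 3200, "ppid": 900,  "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"event": 1, "pid": 4100, "ppid": 3200, "image": "C:\\php\\php-cgi.exe"},
    {"event": 1, "pid": 4188, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event": 1, "pid": 4210, "ppid": 4188, "image": "C:\\Users\\Public\\svchost32.exe"},
    {"event": 3, "pid": 4210, "dst": "198.51.100.7", "dport": 3333},
    {"event": 1, "pid": 5000, "ppid": 900,  "image": "C:\\Windows\\explorer.exe"},
    {"event": 3, "pid": 5000, "dst": "198.51.100.8", "dport": 443},
]

# Script hosts that a CGI worker has no business launching on a web server.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations an attacker with code execution can write to without admin rights.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Return (pid -> image, pid -> ppid) maps from process-create events."""
    image, parent = {}, {}
    for e in events:
        if e["event"] == 1:
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
    return image, parent

def under_php_cgi(pid, image, parent):
    """True if php-cgi.exe is anywhere in pid's ancestor chain."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        if basename(image.get(pid, "")) == "php-cgi.exe":
            return True
    return False

def detect(events):
    """Return sorted (pid, reason) findings for anomalies in the php-cgi.exe process tree."""
    image, parent = build_tree(events)
    findings = set()
    for pid, img in image.items():
        if not under_php_cgi(pid, image, parent):
            continue
        if basename(img) in SHELLS and basename(image.get(parent[pid], "")) == "php-cgi.exe":
            findings.add((pid, "php-cgi.exe spawned a shell or script host"))
        if img.lower().startswith(WRITABLE_PREFIXES):
            findings.add((pid, "unfamiliar process launched from a user-writable path"))
    for e in events:  # outbound connections by anything living under php-cgi.exe
        if e["event"] == 3 and under_php_cgi(e["pid"], image, parent):
            findings.add((e["pid"], f"outbound connection to {e['dst']}:{e['dport']} from php-cgi.exe descendant"))
    return sorted(findings)

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

In a real deployment the same three rules would run over Sysmon or EDR process and network telemetry, with an allow list for the legitimate children your PHP application is known to spawn.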
Conclusion
This exploit serves as a sobering reminder of the relentless creativity of cyber threats and the importance of maintaining a robust cybersecurity infrastructure that includes keeping software up-to-date and actively monitoring for unusual activity.